Recommended
More Related Content
What's hot
What's hot (20)
Similar to HWallet: The simplest Bitcoin hardware wallet
Similar to HWallet: The simplest Bitcoin hardware wallet (20)
Recently uploaded
Recently uploaded (20)
HWallet: The simplest Bitcoin hardware wallet
- 1. HWallet: The simplest Bitcoin hardware wallet Nemanja Nikodijević Security Researcher
- 2. Hardware wallets STM32F205 HWallet OLED ST31H320 USB STM32F042 OLED USB ATECC508ASTM32L475 OLED USB NXP K20USB NXP K82 OLED Secure MCU Secure Element NDA requiredNDA-free <nemanja@hacke.rs> Hardware Acceleration secp256k1SHA256TRNG Open Source ✓ ✓ ✗ ✗✗✗ ✗✗ ✓✓✓✓ ?✓ ✓ ✓
- 3. Threat model <nemanja@hacke.rs> MCU OLED USB Comm MCU USB Main MCU OLED https://blog.trezor.io/details-about-the-security-updates-in-trezor- one-firmware-1-6-2-a3b25b668e98 https://saleemrashid.com/2018/03/20/breaking-ledger-security-model/ Secure MCU
- 4. Library dependencies STM32 HAL (USB, SPI,I2C, UART) uECC third party libs opensource closed source ST31 Cryptography BOLOS App 0 App n ... libopencm3 (USB, SPI,I2C, UART…) Bootloader & Firmware Bootloader & Firmware Bootloader& SEPROXYHAL nanopb micropython Bootloader& Firmware Trezor Crypto AES Base58 BLAKE2 RIPEMD160 SHA1/2/3 Ed25519 Curve25519 Chacha20 Poly1305 QR encoder Emulator <nemanja@hacke.rs>
- 5. Code size comparison git clone https://github.com/{PRODUCT}/{FIRMWARE} --recurse-submodules cd {FIRMWARE} wc –l `find ./ -name "*.c" -o –name "*.h"` <nemanja@hacke.rs> HWallet 2.5M+ 346k+ 162k+ ~4k122k+ OLED font License headers
- 6. Code layers <nemanja@hacke.rs> UART SPI GPIO LTC MMCAUCRC TRNG https://gitlab.com/nemanjan/hwallet NXP K82 OLED To Communication MCU Tx/Rx speed fixed to 115200 bps SPI bus clocked at 1 MHz Bitcoin TX SHA256D nonce ECDSA: secp256k1 TX Signature
- 7. Code layers <nemanja@hacke.rs> UART SPI GPIO LTC Packet OLED MMCAUCRC TRNG Crypto https://gitlab.com/nemanjan/hwallet typedef struct { uint16_t type; uint16_t length; uint8_t data[32]; uint32_t crc; } Packet; PACKET_Send(); PACKET_Receive(); typedef struct { SPIx* spi; GPIOx* dcGpio; GPIOx* rstGpio; uint8_t dcPin; uint8_t rstPin; uint8_t buffer[ ]; } OLED; OLED_WriteRow(); OLED_Clear(); CRYPTO_Random(); CRYPTO_SHA256(); CRYPTO_ECDSA_Sign(); CRYPTO_ECDSA_GetPublicKey(); typedef struct { uint8_t num[32]; uint8_t len; } Bignum; CRYPTO_Bignum_Init(); CRYPTO_Bignum_Mod(); CRYPTO_Bignum_Div(); CRYPTO_Bignum_Sub(); CRYPTO_Bignum_IsNull(); B' = (1/B) mod N A' = A – A mod B (A/B) mod N = (A'B') mod N N - a large prime, larger than any A or B, e.g. p from secp256k1
- 8. Code layers <nemanja@hacke.rs> UART SPI GPIO LTC Main Loop Packet OLED MMCAUCRC TRNG Crypto https://gitlab.com/nemanjan/hwallet while(1) { Packet msg; PACKET_Receive(&msg); switch(PACKET_MODULE(msg.type)) { case PACKET_BITCOIN: Bitcoin_Process(&msg); ... }; } Module Function Packet type 15 8 7 0
- 9. Code layers <nemanja@hacke.rs> UART SPI GPIO LTC Main Loop Bitcoin ??? Packet OLED MMCAUCRC TRNG Crypto ??? ??? https://gitlab.com/nemanjan/hwallet void Bitcoin_Process(Packet* msg) { switch(PACKET_FUNC(msg->type)) { case BITCOIN_FUNC_INIT_TX: Bitcoin_Tx_Init(); ... }; }
- 11. Can it be even simpler? <nemanja@hacke.rs> UART SPI GPIO LTC Main Loop Bitcoin ??? Packet OLED TRNGCRC Crypto ??? ??? K82 KL82 Cortex-M4 Cortex-M0+ 150 MHz 72 MHz Core Freq Flash RAM 256 kB 128 kB 256 kB 96 kB …and more secure? NXP K82 NXP K81 NXP KL82 NXP KL81 Anti Tamper + =+ NDA
- 12. Expanding functionality: Recovery seed <nemanja@hacke.rs> TRNG BIP-32 BIP-39 BIP-44 Entropy 128-512bit m m/0 m/44' m/i m/44'/0' m/44'/0'/0'/0m/44'/0'/0' ... CKD(x, n) based on HMAC-SHA512 ... 44' = 0x8000002C BTC – 0' … ETH – 60' … XRP – 144' witch collapse practice feed shame open despair creek road again ice least HMAC SHA512 m/44'/0'/0'/0/0 m purpose’ coin_type’ account’ change address_index
- 13. Expanding functionality: FIDO U2F <nemanja@hacke.rs> NXP K20USB NXP K82 NXP K81 nRF52840 NXP KL82 NXP KL81 USB BLE WebAuthn FIDO WebAuthn CTAP CTAP Comm MCU Main MCU Client to Authenticator Protocol
- 14. Благодарю за внимание! Thanks for your attention!